1. Field of the Invention
The present invention relates to computer system security. More particularly, the present invention relates to identifying and removing malicious code from a computer system.
2. Description of the Related Art
Traditional file-based malicious code signatures, also called anti-viral (AV) signatures, have become increasingly difficult to use as a viable technique for detecting malicious code, commonly termed malware. Malicious code authors have been quickly developing advanced techniques to modify the binary malicious code files to evade detection by file-based AV signature techniques. A common evasion technique being used today is for the malicious code author to simply apply a packer or a level of custom obfuscation to an existing malicious code, thereby creating a new variant of the malicious code. The new variant behaves the same as the original malicious code but typically cannot be detected by a file-based AV signature developed for the original malicious code.
There are many standard malicious code sets, commonly called toolkits, available on the web today that malware authors can use to simply “repack” or modify existing malicious code to evade file-based AV signature detection. Applying the repacking toolkit usually does not even require a malicious code author to have significant development skills or access to the malicious code source itself; a new variant can be created by simply repacking the executable code.
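The following Python example is added here to illustrate the limitation described above; it is not part of the patent text and does not describe the invention. It assumes a file-based signature is a hash of the whole file, models a packer as a hypothetical stub plus a zlib-compressed body (labelled as a stand-in, not any real toolkit), and uses a constructed byte sample in place of an executable. It shows that the signature built for the original no longer matches the repacked variant, that the variant matches again once the body is unpacked, and that byte entropy is one defender-side heuristic for noticing packed content.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

# Constructed sample standing in for an unpacked executable: 4096 bytes drawn
# uniformly from a 16-symbol alphabet, so its byte entropy is about 4 bits/byte.
_rng = random.Random(2024)
ORIGINAL_SAMPLE = bytes(_rng.choices(b"ABCDEFGHIJKLMNOP", k=4096))

# Hypothetical packer stub marker (assumption, not a real packer format).
STUB = b"STUB-UNPACKER-V1"


def file_signature(data: bytes) -> str:
    """A file-based signature: the SHA-256 of the complete file contents."""
    return hashlib.sha256(data).hexdigest()


def is_known_by_signature(data: bytes, signature_db: set[str]) -> bool:
    """True only if the exact file bytes were seen before."""
    return file_signature(data) in signature_db


def toy_repack(data: bytes) -> bytes:
    """Stand-in for a packer: a fixed stub followed by the compressed body.

    A real packer would emit a runtime unpacker; here the point is only that
    the on-disk bytes change while the underlying content does not.
    """
    return STUB + zlib.compress(data, 9)


def toy_unpack(packed: bytes) -> bytes:
    """Recover the original body from the toy container (what an emulator or
    unpacker in a scanner would do before re-applying signatures)."""
    if not packed.startswith(STUB):
        raise ValueError("not a toy-packed file")
    return zlib.decompress(packed[len(STUB):])


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 to 8.0). Compressed or encrypted
    regions sit near 8; plain code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic only: legitimate compressed resources also score high, so
    this is a triage signal, not a verdict."""
    return shannon_entropy(data) >= threshold


def demo() -> dict:
    """Run the comparison and return the measurements for inspection."""
    signature_db = {file_signature(ORIGINAL_SAMPLE)}
    variant = toy_repack(ORIGINAL_SAMPLE)
    return {
        "original_matches": is_known_by_signature(ORIGINAL_SAMPLE, signature_db),
        "variant_matches": is_known_by_signature(variant, signature_db),
        "unpacked_variant_matches": is_known_by_signature(toy_unpack(variant), signature_db),
        "original_entropy": round(shannon_entropy(ORIGINAL_SAMPLE), 2),
        "variant_entropy": round(shannon_entropy(variant), 2),
        "variant_flagged_as_packed": looks_packed(variant),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The entropy threshold is deliberately coarse; in practice a scanner would measure entropy per section rather than over the whole file, and would combine it with other indicators before spending the cost of unpacking or emulation.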